package cn.flightcloud.auth.config.oauth;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;

//@Configuration
//@EnableResourceServer
//@Order(6)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
	private static final String DEMO_RESOURCE_ID = "order";

	@Autowired
	private AuthenticationManager authenticationManager;

	@Override
	public void configure(ResourceServerSecurityConfigurer resources) {
		resources.authenticationManager(authenticationManager);
		resources.resourceId(DEMO_RESOURCE_ID).stateless(true);
	}

	@Override
	public void configure(HttpSecurity http) throws Exception {
//		http.exceptionHandling().accessDeniedHandler(accessDeniedHandler)
		// @formatter:off
		http.anonymous().disable();
		http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED).and().authorizeRequests()
				// .antMatchers("/product/**").access("#oauth2.hasScope('select')
				// and hasRole('ROLE_USER')")
				.antMatchers("/order/**").authenticated()// 配置order访问控制，必须认证过后才可以访问
				.and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
		// @formatter:on
		super.configure(http);
	}

//	@Override
//	public void configure(HttpSecurity http) throws Exception {
//		http.
//		anonymous().disable()
//		.requestMatchers().antMatchers("/user/**")
//		.and().authorizeRequests()
//		.antMatchers("/user/**").access("hasRole('ADMIN')")
//		.and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
//	}

}
